
Try and view the source

168 points | ohashi | 14 years ago | kurlak.com

79 comments

[+] buro9|14 years ago|reply
I hit F12 in Chromium and dev tools open with the tree. Knowing that I'm viewing the DOM and not the source, I hit the Resources tab, and there is the source.

Not a problem at all.

In fact, I had to remember to go back to right clicking and View Source to try and figure out why this was so highly ranked and lots of the comments confused me.

Now I see why... but just like using JavaScript to try and detect right click, using replace state to try and obscure the source isn't likely to be effective in any reasonable way. I guess that's not the point, that this is more fun than anything someone will do, except... I bet someone does it on their live site.

[+] dazbradbury|14 years ago|reply
> I bet someone does it on their live site.

I doubt it, as this method breaks forward/back functionality, thus probably breaking most sites.

Having said that, for all links, you could do a further re-write using the history API, before allowing the redirect to take place. I guess that would actually make it usable even if, as you say, it's futile in the end.

[+] bri3d|14 years ago|reply
A clever use of history.replaceState and some special characters (to make it less obvious that the state's been altered) - "view source" in Chrome operates on the currently active URL, which after the replaceState has executed is the "not that easily" page.

You can also reproduce the behavior by navigating back, then forwards again - you'll see the "not that easily" page that way, as well (as the "try and view the source" page has been replaced in your history list).

[+] adamkhrona|14 years ago|reply
Just to add to this, the "special characters" are "%E2%80%AE" which is the escaped form of the UTF-8 "Right-To-Left Override" control character (which effectively reverses the display of text).

If you try copying the URL to plain-text, you'll see: http://www.kurlak.com/john/%E2%80%AElmth.ecruos
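The decoding described in the comment above, as an added example that is not part of the thread: a check that percent-decodes a URL path, lists any Unicode bidi control characters in it, and returns both an escaped form and an approximation of what the reader sees. The function names, the character table and the reversal model are assumptions of this example.

```javascript
// Added example, not from the thread. Bidi formatting characters that change
// how a URL is drawn without changing the bytes it points to.
const BIDI_CONTROLS = {
  0x061c: 'ARABIC LETTER MARK',
  0x200e: 'LEFT-TO-RIGHT MARK', 0x200f: 'RIGHT-TO-LEFT MARK',
  0x202a: 'LEFT-TO-RIGHT EMBEDDING', 0x202b: 'RIGHT-TO-LEFT EMBEDDING',
  0x202c: 'POP DIRECTIONAL FORMATTING',
  0x202d: 'LEFT-TO-RIGHT OVERRIDE', 0x202e: 'RIGHT-TO-LEFT OVERRIDE',
  0x2066: 'LEFT-TO-RIGHT ISOLATE', 0x2067: 'RIGHT-TO-LEFT ISOLATE',
  0x2068: 'FIRST STRONG ISOLATE', 0x2069: 'POP DIRECTIONAL ISOLATE',
};

// Percent-decode without throwing on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Inspect a URL's path: list the bidi controls in it, return a form with the
// controls left percent-encoded (suitable for logs or display), and
// approximate what the reader sees in an address bar.
function inspectUrlPath(url) {
  const path = safeDecode(new URL(url).pathname);
  const findings = [];
  let escaped = '', visual = '', run = '', reversing = false;
  for (const ch of path) {
    const cp = ch.codePointAt(0);
    if (!(cp in BIDI_CONTROLS)) {
      escaped += ch;
      if (reversing) run = ch + run; else visual += ch;
      continue;
    }
    const hex = cp.toString(16).toUpperCase().padStart(4, '0');
    findings.push({ codePoint: 'U+' + hex, name: BIDI_CONTROLS[cp] });
    escaped += encodeURIComponent(ch);
    // Simplified model (assumption): RLO reverses the run up to the next
    // bidi control or the end of the path; real rendering follows UAX #9.
    visual += run;
    run = '';
    reversing = cp === 0x202e;
  }
  return { findings, escaped, visual: visual + run };
}

// The URL quoted in the comment above.
const sample = 'http://www.kurlak.com/john/%E2%80%AElmth.ecruos';
console.log(inspectUrlPath(sample));
```

A non-empty `findings` array is the signal to show or log the `escaped` form instead of the rendered URL.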

[+] Flam|14 years ago|reply
This is why I love NoScript. Viewed it no problems and easily saw what you were doing. Pretty clever trick, thank you.
[+] Zarel|14 years ago|reply
I recently learned about a similar trick that gets around NoScript:

http://citeomatic.com/_asdf.html

(This one only works in Firefox and Opera, not Chrome, sadly)

[+] sedev|14 years ago|reply
NoScript is the new antivirus, really.
[+] dcreemer|14 years ago|reply

  curl -v -H 'User-agent: Mozilla/5.0' 'http://www.kurlak.com/john/source.html'
[+] chrischen|14 years ago|reply
It says Chrome or Firefox.
[+] lengarvey|14 years ago|reply
In chrome you can easily view the current source by opening the elements section of Developer Tools.
[+] nikcub|14 years ago|reply
'view source' for me has been command + option + j (dev console) for a while now. It will always show you the live element tree.

That said, pretty neat trick.

[+] The_Sponge|14 years ago|reply
That's what I went straight for, too.
[+] ngokevin|14 years ago|reply
Ha, nice try! I reverse-engineered it.

    <html>
    <head>
    <title>Source</title>
    </head>
    <body>
    Can you view my source from Chrome or Firefox?
    </body>
    </html>

[+] pixeloution|14 years ago|reply
You missed a paragraph tag. And 'inspect element' in Chrome shows you the source.
[+] dante_dev|14 years ago|reply
Found in 5 seconds, with Firefox: Ctrl+A, right click with mouse, View Selection Source

    <html><head>
    <title>Source</title>
    <meta charset="UTF-8">
    <script type="text/javascript">
    history.replaceState(null, null, String.fromCharCode(8238) + 'lmth.ecruos');
    </script>
    </head>
    <body>
    <p>Can you view my source from Chrome or Firefox?</p>

    </body></html>

[+] vrotaru|14 years ago|reply
Right click - Inspect Element (from Chrome) did work for me.
[+] jvm|14 years ago|reply
That's actually not viewing the page source though. That's viewing the current DOM state. If the author was more clever he could have left you a little note to that effect.
[+] DanielRibeiro|14 years ago|reply
Yes I can view the source: https://gist.github.com/2097197
[+] nikcub|14 years ago|reply

    $ cat << ! | nc www.kurlak.com 80
    > GET /john/source.html HTTP/1.1
    > Host: www.kurlak.com
    > User-Agent: Mozilla/5.0 Chrome/1
    > 
    > !
    HTTP/1.1 200 OK
    Date: Mon, 19 Mar 2012 07:44:51 GMT
    Server: Apache
    Last-Modified: Mon, 19 Mar 2012 00:51:24 GMT
    Accept-Ranges: bytes
    Content-Length: 295
    Content-Type: text/html

    <!DOCTYPE html>
[+] tantalor|14 years ago|reply
You do know about `curl`, right?
[+] TooEasy|14 years ago|reply
    <!DOCTYPE html>
    <html>
    <head>
    <title>Source</title>
    <meta charset="UTF-8">
    <script type="text/javascript">
    history.replaceState(null, null, String.fromCharCode(8238) + 'lmth.ecruos');
    </script>
    </head>
    <body>
    <p>Can you view my source from Chrome or Firefox?</p>
    </body>
    </html>

This is on Firefox version 11.0. The creator of this page forgot the Firefox ecosystem has this nifty plug-in called NoScript.

[+] runevault|14 years ago|reply
Less clever than other people's solutions, but save-as works too.
[+] FaceKicker|14 years ago|reply
In Chrome at least, it also breaks going back to the cached page after first view using back/forward navigation. (Try clicking the link from HN, go "back", then go "forward" again.) This might be obvious to people who know anything about browser caching, but I thought it was kinda interesting.
[+] aespinoza|14 years ago|reply
This is very interesting. I tried with the View Source option. Failed. But using the Debugger I got this:

    <!DOCTYPE html>
    <html>
    <head>
    <title>Source</title>
    <meta charset="UTF-8">
    <script type="text/javascript">
    history.replaceState(null, null, 'source.html' + String.fromCharCode(8237));
    </script>
    </head>
    <body>
    <p>Can you view my source from Chrome?</p>
    </body>
    </html>

[+] Brandon0|14 years ago|reply
Simple with Firebug:

    <!DOCTYPE html>
    <html>
    <head>
    <title>Source</title>
    <meta charset="UTF-8">
    <script type="text/javascript">
    history.replaceState(null, null, 'source.html' + String.fromCharCode(8237));
    </script>
    </head>
    <body>
    <p>Can you view my source from Chrome?</p>
    </body>
    </html>

[+] RugerRedhawk|14 years ago|reply
Right click: Inspect Element
[+] pjscott|14 years ago|reply
That shows the current DOM state, not the source that created it. There's a distinction, especially if you use a lot of JavaScript to fiddle with the DOM.
[+] mkopinsky|14 years ago|reply
I loaded the page, went to the Firebug script panel, set a breakpoint on the line of JavaScript, and hit F5. When the breakpoint got hit, I just hit Escape to prevent it from running. Then, Ctrl-U as usual.

Chrome is broken on my machine (proxy issues) so I didn't test there, but I assume the same technique would work.

[+] leppie|14 years ago|reply
IE seems to be the only browser not requesting the source again, which is what you would expect...